Wildcard DNS Server and iRules

You need a space between matchclass and [IP::client_addr].

It would have been nice to be that easy but...no. It still doesn't work. I tried it before, with or without space and the result was the same.

Are you getting the same TCL error after introducing the space? What does your class look like?

Sorry I missed that detail...no I am not getting the same TCL error.

 

 

The moment I enable the iRule on the VS, all DNS traffic dies...regardless if they are or they are not members of the class "x_group".

 

 

The "x_group" class is an Address type and has four hosts in it, which are located on the BIG-IP internal network.

 

 

The "DNS" servers pool contains four possible DNS destinations and the "DNS" pool is assigned as a default pool on the wildcard VS.

 

 

The wildcard VS is available on the Internal VLAN only.

 

 

Thanks...Maxim

Are you getting any other Tcl errors in the ltm log? Tcl is somewhat picky about having/not having whitespace in all the right places. I certainly don't see anything wrong with what you are doing in the iRule that would cause it to fail.

I am sorry to waste your time but the whole drama was on the firewall in front of the BIG-IP...it was allowing udp/53 for the SNAT IP address to specific servers only causing DNS traffic to any other servers from the x_group clients with SNAT 10.10.10.10 to fail. Anyway, what I have now is the following and I think it should work fine after I resolve few other issues:

 

 

when CLIENT_ACCEPTED {

 

if {[matchclass [IP::client_addr] eq $::x_group]

 

and [matchclass [IP::remote_addr] eq $::dns_servers]} {

 

snat 10.10.10.10

 

rateclass one_mb}

 

}

 

 

I have just one more question:

 

 

What can I do to ensure that none of the other client servers fall under the above iRule when they do DNS lookups?

 

 

I removed the "else...snat none" statement, because all other servers were failing DNS lookups considering the fact that the VS is 0.0.0.0:53 UDP profile, hence managing all DNS traffic, and the "snat none" was sending the other client servers to the firewall with their real addresses and of course they were getting nowhere since I have to translate them before they get to the firewall.

 

 

I am looking for something that will say..."if client server doesn't match any of the above classes, let it do its NAT and don't assign rateclass."

 

 

thanks for your patience and support.

Thanks Colin. I thought as much but wanted to be sure.

 

 

I had to completely change my strategy as I got to a point where I was runnng 3 rules to accomplish a relatively simple objective. On top of everything I was confusing the [IP::local_addr] with the [IP::remote_addr] variables and lost a lot of sleep until I found the error but now things are OK. I almost started loosing faith in BIG-IP's abilities but I somehow knew that that can't be true and I must be doing something wrong. Anyway, this is the final state of my rule to manage DNS traffic:

 

 

when CLIENT_ACCEPTED {

 

if {[matchclass [IP::client_addr] eq $::dns_clients]

 

and ! [matchclass [IP::local_addr] eq $::five_vlans]} {

 

snat 10.10.10.10

 

rateclass one_mb}

 

}

 

 

The above is assigned to a 0.0.0.0:53 Forwarding (IP) type VS with UDP profile and without SNAT, Rate Class, or Port translation settings.

 

 

Thank you and the whole iRule support team for your help. This is the second time I turn to you for help and in both cases I have received fast and professional help.

 

 

Regards, Maxim